• State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 61 subscribers
  • Views 6595 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Expand nTSecurityDescriptor attribute on group object

frank m.
over 16 years ago

Hi,


we want to add the nTSecurityDescriptor attribute on group objects via the Active Roles (5.2.4) Web Interface.

Our problem is, that we only see the three right "read", "write" and "full control" (see attached file "ntsecuritydescriptorAR.jpg"), when we add the attribute to the Web Interface.

If I control these attribute via Active Directory, I have much more rights to select (see attached file "ntsecuritydescriptor.jpg).


Why can't we see these "additional" right via the Active Roles Web Interface?

Is there a special "edsa attribute" for this?


regards

frank

Additional Attachments:

ntsecuritydescriptorAR.jpg

  • 0 over 16 years ago
    ARS Web UI does not support editing AD permissions, only file and share permissions.
    Technically, Web UI can't present so-called "object-specific" Access Control Entries (see this MSDN article for details: msdn2.microsoft.com/.../aa379293(VS.85).aspx).

    What scenario do you need to cover? Probably, I would be able to suggest a solution here.



  • 0 over 16 years ago

    Hi Andrei,

    in our environment, we have one centralized it-team and several decentralized it-teams. the decentrlized teams can only use the actice roles webinterface to manage their ad objects. Each team have access to their own OU.

    In this specific szenario, the dezentralized admins must have the ability, to delegate rights like "Add/Remove Self as Member" or "Send as" to distribution groups.

    Without this ability the decentralized admins must contact us (central it team) and we must set theses rights.

    Regards
    Frank

  • 0 over 6 years ago
    Hi Frank, digging out this old rat... Did you manage to configure this as I'm struggling with this ability for our Helpdesk as well.
  • 0 over 6 years ago
    For the records: I was able to solve the SendAs issue by creating / altering an access template permitting read/write for the helpdesk group to edsvaSendAsTrustees and customized the WI to display and edit this.
  • 0 over 6 years ago
    Good job! It's always worth a look to see if there exists an AR "calculated" virtual attribute that can help to simplify some of the more complex AD ones.